Hints autodiscover does not work for Docker when hints.default_config is not set for Filebeat >= v8.12.0 #45864
Description
This affects all versions of Filebeat >= v8.12.0, including all 9.x releases.
To reproduce the issue start Filebeat with the following autodiscover configuration and no data will be ingested.
filebeat.autodiscover:
providers:
- type: docker
hints.enabled: trueEnabling debug logs we can see the issue, data.kubernetes.container.id cannot be resolved.
{"log.level":"debug","@timestamp":"2025-08-08T16:15:11.212Z","log.logger":"autodiscover","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/autodiscover/template.ApplyConfigTemplate","file.name":"template/config.go","file.line":157},"message":"Configuration template cannot be resolved: field 'data.kubernetes.container.id' not available in event or environment accessing 'paths'","service.name":"filebeat","ecs.version":"1.6.0"}
This problem happens because the hints based autodiscover uses a default template to ingest logs that is hardcoded and the same to all providers.
In v8.11.4 it was:
func defaultConfig() config {
defaultCfgRaw := map[string]interface{}{
"type": "container",
"paths": []string{
// To be able to use this builder with CRI-O replace paths with:
// /var/log/pods/${data.kubernetes.pod.uid}/${data.kubernetes.container.name}/*.log
"/var/lib/docker/containers/${data.container.id}/*-json.log",
},
}
defaultCfg, _ := conf.NewConfigFrom(defaultCfgRaw)
return config{
Key: "logs",
DefaultConfig: defaultCfg,
}
}And it changed in v8.12.0 to:
func defaultConfig() config {
defaultCfgRaw := map[string]interface{}{
"type": "filestream",
"id": "kubernetes-container-logs-${data.kubernetes.container.id}",
"prospector": map[string]interface{}{
"scanner": map[string]interface{}{
"fingerprint.enabled": true,
"symlinks": true,
},
},
"file_identity.fingerprint": nil,
"parsers": []interface{}{
map[string]interface{}{
"container": map[string]interface{}{
"stream": "all",
"format": "auto",
},
},
},
"paths": []string{
"/var/log/containers/*-${data.kubernetes.container.id}.log",
},
}
defaultCfg, _ := conf.NewConfigFrom(defaultCfgRaw)
return config{
Key: "logs",
DefaultConfig: defaultCfg,
}
}Workaround
There are two key changes there:
- The input changed from
containertofilestream. On its own this does not prevent data to be ingested in the new version. However this will cause all existing files to be re-ingested because the input changed. - The paths and id fields now use
${data.kubernetes.container.id}, howeverdata.kubernetesis only present when using Kubernetes autodiscover. This breaks rendering the template for Docker. No inputs are started, no data is ingested.
The workaround is to define a new default template for the hints configuration that matches your provider/environment, for Docker you can use:
filebeat.autodiscover.providers:
- type: docker
hints.enabled: true
hints.default_config:
type: filestream
id: container-${data.container.id}
prospector.scanner.symlinks: true
prospector.scanner.fingerprint.enabled: true
file_identity.fingerprint: ~
parsers:
- container: ~
paths:
- /var/lib/docker/containers/${data.container.id}/*.logThe original issue was reported by #45156. I created this one to focus on the core issue and decouple from ECK, which is not directly related to the issue.